Tag Archives: PKI

Home LAB Setup guide – 07 Make your lab available over the internet

In the first part of this LAB setup guide, I described the hardware selection process.
In the second part, I described the hypervisor selection and installation.
In the third part, I described VM guest considerations and preparations.
In the fourth part, I described Configuring Server 2012 VM as DC with DNS and DHCP using PowerShell
In the fifth part, I described easily creating (many) proper AD users with PowerShell
In the sixth part, I described creating a local PowerShell v3 Help Repository with PowerShell

In this post I will describe how you can make your lab available over the internet.

When you’ve created your home LAB, you want to be able to use it anywhere. Depending on your situation, one of these options probably best meets your needs.

Examples include the use of:

  1. Remote desktop connection to your server
    + Easy to configure (enable Remote Desktop on the server and configure NAT port forwarding on your router if appropriate).
    – On many enterprise or public networks outbound TCP 3389 is blocked by the firewall.
    – Connects only to a specific server, even though you can reach the rest of the network from there.
  2. VPN connection to your network
    • Using your hardware router
      + Connection to the network, not just a server.
      + No dependency on Windows Server.
    • Using Windows Server 2008 / 2012
      + SSTP VPN (TCP 443) is generally not blocked on enterprise/public networks.
      + Connection to the network, not just a server.
      – Dependency on Windows Server.
      – Requires more configuration.
      – The root CA certificate of the certification authority (CA) that issued the server authentication certificate needs to be in the client's Local Computer\Trusted Root Certification Authorities store. For a self-signed certificate, this means that you need local admin permissions on the client to add it.
  3. Using 3rd party tools like LogMeIn, TeamViewer or VNC
    – Connects only to a specific computer.

Note: DirectAccess is a great feature, but it requires the client to be a member of the domain. In my case this would limit where I can connect from, therefore I don't plan to use it. For other situations it might be a better solution though.

Since I want to be able to connect from within enterprise environments as well, I chose to use SSTP VPN in Windows Server 2012. The basic steps you have to perform include:

  1. On the server, install and configure the VPN (Routing and Remote Access) service.
  2. On the server, create and install a machine (server authentication) certificate whose subject name matches the public DNS name clients will connect to. You can create a Certificate Signing Request and request a certificate from a 3rd-party public CA, issue one from your own Certificate Authority, or create a self-signed certificate. For creating a self-signed certificate you can use the Pluralsight SelfCert tool, or the New-SelfSignedCertificate cmdlet that ships with Windows Server 2012.
  3. On the client, make sure the server certificate will be trusted. With a self-signed certificate this means importing it into Local Computer\Trusted Root Certification Authorities, which requires local administrator permissions on the client. Keep in mind that the SSTP client also checks the server certificate for revocation by default, so a certificate without a reachable CRL (such as a self-signed one) needs the revocation check disabled on the client.
  4. On the client, set up the VPN connection to the server. Preferably you connect by DNS name; for a home lab on a dynamic public IP address you can use a dynamic DNS service to get a stable name.
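The four steps above as PowerShell, added here as an example and not taken from the original post. It assumes a public name of lab.example.com (a dynamic DNS name in this kind of setup), a dial-in account called vpnuser, and C:\Temp\lab-sstp.cer as the file used to carry the public certificate to the client; change these to match your lab.

```powershell
# Added example (not from the original post): SSTP VPN setup for a Server 2012 lab,
# split into a server part and a client part. Assumed names: lab.example.com,
# the AD account 'vpnuser', and C:\Temp\lab-sstp.cer as the transport file.

### --- Server (Windows Server 2012), run elevated ---

# Step 1: install the Remote Access role and configure it as a VPN server.
Install-WindowsFeature RemoteAccess, RSAT-RemoteAccess -IncludeManagementTools
Install-RemoteAccess -VpnType Vpn

# Step 2: create a self-signed server authentication certificate in the machine
# store. The DNS name must match the name clients will dial (assumed here).
$cert = New-SelfSignedCertificate -DnsName 'lab.example.com' `
                                  -CertStoreLocation 'Cert:\LocalMachine\My'

# Bind the certificate to SSTP (the same certificate is used for IP-HTTPS) and
# restart the service so the new binding is picked up.
Set-RemoteAccess -SslCertificate $cert
Restart-Service RemoteAccess

# Export only the public certificate (no private key) for distribution to clients.
Export-Certificate -Cert $cert -FilePath 'C:\Temp\lab-sstp.cer' -Type CERT

# Allow the lab account to dial in (run on the DC or with RSAT-AD-PowerShell).
Set-ADUser -Identity 'vpnuser' -Replace @{ msNPAllowDialin = $true }

### --- Client (Windows 8 / Server 2012), run elevated for the trust step ---

# Step 3: trust the self-signed certificate. This needs local admin rights because
# it goes into the machine-wide Trusted Root store, which is the caveat from the text.
Import-Certificate -FilePath 'C:\Temp\lab-sstp.cer' `
                   -CertStoreLocation 'Cert:\LocalMachine\Root'

# The SSTP client checks the server certificate for revocation; a self-signed
# certificate has no CRL, so disable the check on the client or the connection
# fails with a revocation error. Lab use only: this weakens certificate validation.
$sstp = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
New-ItemProperty -Path $sstp -Name NoCertRevocationCheck -PropertyType DWord `
                 -Value 1 -Force | Out-Null

# Step 4: create the VPN connection by DNS name, pinned to SSTP so the client never
# falls back to PPTP/L2TP ports that enterprise firewalls tend to block.
Add-VpnConnection -Name 'HomeLab' -ServerAddress 'lab.example.com' `
                  -TunnelType Sstp -AuthenticationMethod MSChapv2 `
                  -EncryptionLevel Required -RememberCredential -Force

# Verify that the profile really uses SSTP before dialing.
Get-VpnConnection -Name 'HomeLab' | Select-Object Name, ServerAddress, TunnelType

# Connect (prompts for credentials the first time).
rasdial HomeLab
```

If you replace the self-signed certificate with one issued by your own CA or a public CA, drop the NoCertRevocationCheck step: the client can then validate the chain and the CRL the way SSTP expects, and the Trusted Root import is only needed for your own CA's root.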

For some more information, you can also take a look at this:



Microsoft – Resources to get more familiar with Active Directory Federation Services (ADFS)

Nowadays more and more work, communication and collaboration involves multiple external parties, for example employees, customers, partners, suppliers and cloud providers/platforms/applications.

This means it is becoming increasingly important to have proper authentication and authorization methods in place for single sign-on (SSO), so users can be more productive. Besides the ease of use, it can also lead to better security, since users authenticate against one identity provider instead of maintaining separate credentials per application.

Microsoft's Active Directory Federation Services (ADFS) makes this possible. For more information on ADFS, here are some resources. Keep in mind that while some information may be outdated, it will give you a broad idea of the concept and the inner workings. The version of ADFS that ships with Windows Server 2012 is 2.1, while ADFS 2.0 is a separate download for Windows Server 2008 / 2008 R2.

PS: Microsoft is moving more and more towards claims-based authentication. Examples include Windows Server 2012 Dynamic Access Control and SharePoint 2013, which now uses claims-based authentication by default.

If you have some other resources that might be useful, please let me know so I can add them as well.

